Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Jouni Malinen j at w1.fi
Fri Jul 10 14:07:31 EDT 2015

On Wed, Jul 08, 2015 at 11:47:17PM +0100, David Woodhouse wrote:
> On Wed, 2015-07-08 at 22:11 +0300, Jouni Malinen wrote:
> > 
> > RSN: Stop connection attempt on apparent PMK mismatch

> wlo1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> wlo1: RSN: PMKID mismatch - authentication server may have derived different MSK?!
> wlo1: CTRL-EVENT-DISCONNECTED bssid=18:33:9d:0c:da:de reason=1 locally_generated=1
> We end up *blacklisting* the offending BSSIDs and not trying them again
> for a while... would it be possible to start by disabling TLSv1.2 for
> the offending BSSIDs, rather than giving up entirely?
> That might be a simpler workaround than the other one (which I'm about
> to test).

It would certainly be simpler, but I don't really like the idea of
wpa_supplicant disabling TLSv1.2 completely at least as far as modifying
the network configuration is concerned. I guess I could live with a
temporary disabling of TLSv1.2 (i.e., just do that outside the
persistent configuration parameters and for limited duration). However,
I'd rather do that only in case this can really be shown to be because
of the incorrect MSK derivation. Or well, I guess it could be considered
secure enough to do this even without checking the "alternative MSK
derivation" and just check that TLSv1.2 was used during the exchange.
That would already be enough to show that TLSv1.2 was successfully
completed which would make it quite a bit less likely for an attacker to
be able to use this for a downgrade attack.

An attack would still be possible with the simple implementation,
though, since all it takes is a quick transmission of a bogus EAPOL-Key
msg 1/4 immediately after the EAP-Success message which would be doable
without that much effort.. In other words, I'm not really sure I would
be accepting such a change into hostap.git or well, at least not
enabling that behavior by default and with that in mind, it might be as
simple to just have an out-of-tree patch available for anyone who wants
to build a binary with such a capability while understanding the
implications this would have on security (allowing TLS downgrade attack
from v1.2 to v1.0/1.1).
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list